It’s time to kill the static password

How do you manage your passwords? Do you set them all to approximately the same value, for fear of forgetting them? Or do you write them down in a little book, or in a spreadsheet? Perhaps you use clever character combinations or a piece of software to manage them on your behalf?

If you feel passwords are a struggle to manage, you are not alone. A recent UK Government study found that nearly half of respondents used unsafe passwords, such as the names of their pets, for fear of forgetting them.

Another study reported that UK consumers have over a hundred online accounts each, every one of which requires a username/password combination. Unsurprisingly this results in frequent requests for password changes as the blighters are repeatedly forgotten. Even the bloke who invented them, Fernando Corbato, thinks they have become “kind of a nightmare.”

Beyond even these challenges, passwords are pretty pointless. It’s not that they may be stored by the companies we rely on unencrypted (which is dumb in itself). Nor that they so frequently need to be used in interfaces which are then left available for anyone to browse on sites such as SourceForge (also dumb).

No, it’s that we are at a point in technology’s history where the information we send and receive cannot be guaranteed to be protected. On computers and potentially smartphones, key loggers can watch what we type; Wi-Fi and mobile networks use very weak security which can easily be tapped; and proxy-type attacks and social engineering make it all too easy for us to hand over the keys to our own virtual kingdoms.

We live in the age of surveillance. Which means however good a static password is, whatever combination of characters, numbers and symbols it uses is irrelevant, since it can be seen anyway. Many protocols are even kind enough to indicate exactly which bit of the data stream is the password, so it can be picked up by a filter or a log search.

There is an answer, and it is called two-factor authentication. While the password may protect against someone else connecting to your Amazon account on a public computer, there needs to be more protection against the bigger, and more likely threat of an automated hack stealing your credentials and using them without your knowledge.

Using two factors — a password plus specified characters from a PIN, or a number generated by a token — significantly increases the level of protection. The good news is that many public services already offer it, and it’s also being adopted in more enterprise environments (more than nine in ten IT pros expect their organizations to expand use of this technology, according to a recent Gemalto survey). Consumers would do well to take advantage of the facility. The not so good news is, it doesn’t really help with the general stresses of password management.

But at least it results in better security. Which was the whole point in the first place.